How we pwned X (Twitter), Vercel, Cursor, Discord, and hundreds of companies through a supply-chain attack
hi, i’m daniel. i’m a 16-year-old high school senior. in my free time, i hack billion dollar companies and build cool stuff.
about a month ago, a couple of friends and I found serious critical vulnerabilities on Mintlify, an AI documentation platform used by some of the top companies in the world.
i found a critical cross-site scripting vulnerability that, if abused, would let an attacker inject malicious scripts into the documentation of numerous companies and steal credentials from users with a single link open.
(go read my friends’ writeups (after this one)): "how to hack discord, vercel, and more with one easy trick" (eva) and "Redacted by Counsel: A supply chain postmortem" (MDL)
here’s my story...
My story begins on Friday, November 7, 2025, when Discord announced a brand new update to their developer documentation platform. They were previously using a custom built documentation platform, but were switching to an AI-powered documentation platform.
Discord is one of my favorite places to hunt for vulnerabilities since I’m very familiar with their API and platform. I’m at the top of their bug bounty leaderboard having reported nearly 100 vulnerabilities over the last few years. After you’ve gone through every feature at least 10 times, it gets boring.
I found this new update exciting, and as soon as I saw the announcement, I started looking through how they implemented this new documentation platform.
Mintlify
Mintlify is an AI-powered documentation platform. You write your documentation as markdown and Mintlify turns it into a beautiful documentation platform with all the modern features a documentation platform needs. (Despite the vulnerabilities we found, I would highly recommend them. They make it really easy to create beautiful docs that work.)
Mintlify-hosted documentation sites are on the *.mintlify.app domains, with support for custom domains. In Discord’s case, they were just proxying certain routes to their Mintlify documentation at discord.mintlify.app.
Every Mintlify subdomain has a /_mintlify/* path that is used internally on the platform to power certain features. Regardless of whether it’s hosted through the mintlify.app domain or a custom domain, the /_mintlify path must be accessible to power the documentation.
(For example, the /api/user path for authentication: https://docs.x.com/_mintlify/api/user, https://discord.com/_mintlify/api/user, etc.)
/_mintlify/markdown/
After Discord switched to Mintlify and I started looking for bugs on the platform, my plan from the get-go was to find a way to render another Mintlify documentation through Discord’s domain.
At first, I tried path traversal attacks, but they didn’t work. Then, I started looking through the /_mintlify API endpoints.
Using Chrome DevTools to search the assets, I found the endpoint /_mintlify/_markdown/_sites/[subdomain]/[...route]. It accepted any Mintlify documentation ([subdomain]) and it returned a file from that specific documentation ([...route]). The endpoint didn’t check to make sure the [subdomain] matched the current host, which means you could fetch files from any Mintlify documentation on any host with the /_mintlify/ route.
Unfortunately, this endpoint only returned raw markdown text. The markdown wasn’t rendered as HTML, meaning it was impossible to run code. I spent the rest of the time trying different ways to bypass this, but nothing worked.
/_mintlify/static/
Fast forward 2 days to Sunday, November 9, 2025, I went back to hunting.
I was confident there was another endpoint, like the markdown one, which could fetch and return cross-site data, but I couldn’t find one. I tried searching web assets and some other techniques, but I couldn’t find the endpoint I was looking for.
Finally, I decided to look through the Mintlify CLI. Mintlify lets you run your documentation site locally via their npm package (@mintlify/cli). I realized that this probably meant the code powering the documentation platform was somewhat public.
After digging through the package and downloading tarballs linked in the code, I found myself at exactly what I was looking for.
Jackpot!
This was a list of application endpoints (compiled by Next.js), and in the middle, there’s the endpoint /_mintlify/static/[subdomain]/[...route].
Like the markdown endpoint, this endpoint accepted any Mintlify documentation ([subdomain]). The only difference was this endpoint returned static files from the documentation repo.
First, I tried accessing HTML and JavaScript files but it didn’t work; I realized there was some sort of whitelist of file extensions. Then, I tried an SVG file, and it worked.
If you didn’t know, you can embed JavaScript into an SVG file. The script doesn’t run unless the file is directly opened (you can’t run scripts from <img src="/image.svg">). This is very common knowledge for security researchers.
I created an SVG file with an embedded script, uploaded it to my Mintlify documentation, and opened the endpoint through Discord (https://discord.com/_mintlify/_static/hackerone-a00f3c6c/lmao.svg). It worked!
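The two gaps described above (no check that [subdomain] belongs to the requesting host, and SVG served so that it renders as a document in the customer's origin) can be closed at the point where the static route is authorized. The following is an added example, not Mintlify's code or its actual fix; the function name, the host registry, the domains and the header choices are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Mintlify's code.

// Constructed host -> tenant registry. A real platform would load this from
// its custom-domain configuration.
const TENANT_BY_HOST = new Map([
  ['docs.customer.example', 'customer'],
  ['customer.docs-platform.example', 'customer'],
  ['researcher.docs-platform.example', 'researcher'],
]);

// Extension allow-list mapped to the Content-Type sent back.
const CONTENT_TYPES = new Map([
  ['png', 'image/png'],
  ['jpg', 'image/jpeg'],
  ['svg', 'image/svg+xml'],
]);

// Decide how to answer GET /_mintlify/static/<subdomain>/<route> on <host>.
// <route> is assumed to be URL-decoded already.
function authorizeStatic(host, subdomain, route) {
  const hostname = String(host).toLowerCase().replace(/:\d+$/, '');
  const tenant = TENANT_BY_HOST.get(hostname);
  // Tenant binding: the tenant named in the path must own the host the
  // request arrived on, otherwise another tenant's file would be served
  // from this origin.
  if (tenant === undefined || tenant !== subdomain) return { status: 404 };

  // Refuse empty, "." and ".." segments instead of trying to normalise them.
  const segments = String(route).split('/');
  if (segments.some((s) => s === '' || s === '.' || s === '..')) return { status: 400 };

  const name = segments[segments.length - 1];
  const ext = name.includes('.') ? name.slice(name.lastIndexOf('.') + 1).toLowerCase() : '';
  const type = CONTENT_TYPES.get(ext);
  if (type === undefined) return { status: 415 };

  const headers = { 'Content-Type': type, 'X-Content-Type-Options': 'nosniff' };
  if (type === 'image/svg+xml') {
    // An SVG opened as a top-level document can run script in the serving
    // origin. The CSP sandbox directive gives it an opaque origin with
    // scripts disabled, and attachment makes direct navigation download
    // the file; <img> embedding is unaffected by either header.
    headers['Content-Security-Policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox";
    headers['Content-Disposition'] = 'attachment';
  }
  return { status: 200, tenant, file: segments.join('/'), headers };
}
```

Returning 404 rather than 403 on a tenant mismatch avoids confirming which tenant names exist on the platform.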
Collaboration
XSS attacks are incredibly rare on Discord, so I shared it with a couple friends.
I sent a screenshot to xyzeva, only to find out she had also been looking into Mintlify after the Discord switch. She had previously discovered other vulnerabilities on the Mintlify platform, and had found more that she was preparing to disclose (go read her writeup!). I find it funny we had both separately been looking into Mintlify and found very different, but very critical bugs.
Another friend joined, and we created a group chat.
Reporting
We reported the vulnerability to Discord and attempted to contact Mintlify through an employee.
Discord took this very seriously, and closed off its entire developer documentation for 2 hours while investigating the impact of this vulnerability. Then, they reverted to their old documentation platform and removed all the Mintlify routes. https://discordstatus.com/incidents/by04x5gnnng3
Mintlify contacted us directly very shortly after hearing about the vulnerability through Discord. We set up a Slack channel with Mintlify’s engineering team and got to work. Personally, this cross-site scripting attack was the only thing I had the time to find; eva and MDL worked with Mintlify’s engineering team to quickly remediate this and other vulnerabilities they found on the platform.
Impact
In total, the cross-site scripting attack affected almost every Mintlify customer. To name a few: X (Twitter), Vercel, Cursor, Discord, and more.
These customers host their documentation on their primary domains and were vulnerable to account takeovers with a single malicious link.
Conclusion
Fortunately, we responsibly found and disclosed this vulnerability, but this is an example of how compromising a single supply chain can lead to a multitude of problems.
In total, we collectively received ~$11,000 in bounties. Discord paid $4,000 and Mintlify individually gave us bounties for the impact of the bugs we individually found.